
Security

How we protect your data, what we audit, and the compliance posture we're building toward.

Last updated 2026-05-19

Security is not a feature we bolt on. It's load-bearing in how the product is designed. The same instincts that produced the permission-prompt model drive how we treat data in transit, at rest, and in our internal systems.

The design that matters most

The single most important security property of Vibetight is this: we don't see your source code.

Agents run on devices you control. We coordinate the work: assignments, permissions, event streams, audit trails. The contents of your repository travel from your repo to your device (or your headless worker), are operated on locally, and the result is committed back. The bytes of your code don't pass through our servers.

This isn't a privacy boast for marketing; it's the architecture. Other SaaS coding-agent tools have to extend their security perimeter to cover every file in every customer repo. Ours doesn't. The one thing to keep in mind is that the permission records described under Audit logging carry the full tool-call input the model produced, so those records can contain fragments of the code an agent proposed to write or run.

Data in transit

  • All traffic between clients and our API is TLS 1.2+ only.
  • WebSocket connections use the same TLS termination.
  • Devices authenticate with long-lived bearer tokens issued once, at the initial pairing exchange. After that the token is only ever presented inside the TLS channel described above, so it never crosses the network in cleartext.

Data at rest

  • Primary data store is encrypted at rest by the disk encryption our cloud host provides. This protects against loss or theft of the underlying storage media; it does not, on its own, protect against a compromised application or cloud account, which is why production access is gated as described under Operational security.
  • Device authentication tokens are stored as one-way hashes. We can verify a presented token but cannot recover the original.
  • Backups are encrypted with keys we manage.
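The token handling described in the two lists above (cleartext handed to the device once at pairing, only a one-way hash kept server-side, the presented token verified against that hash), as an added example. This is not Vibetight's code; the token layout "<token_id>.<secret>", the in-memory TOKEN_STORE and the function names are assumptions made for the illustration.

```python
"""Added example (not Vibetight's own code): issue a long-lived device token,
persist only a one-way hash of it, verify a presented token, and revoke it.
The stored hash cannot be turned back into the token.

Assumptions (not taken from the page): a token is "<token_id>.<secret>", where
the id is a public lookup key and only the secret is hashed; TOKEN_STORE is a
constructed stand-in for the real data store.
"""
import hashlib
import hmac
import secrets

# Constructed stand-in for the token table: token_id -> sha256(secret) as hex.
TOKEN_STORE: dict[str, str] = {}


def _hash_secret(secret: str) -> str:
    # Plain SHA-256 is adequate here because the secret is 256 random bits,
    # not a human-chosen password, so there is nothing for a dictionary attack
    # to guess. Password hashing (bcrypt/argon2) would be the choice for passwords.
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_device_token() -> str:
    """Create a token, persist only its hash, and return the cleartext once.

    The cleartext is handed to the device at pairing and is never stored.
    """
    token_id = secrets.token_hex(8)      # 16 hex chars, public lookup key
    secret = secrets.token_urlsafe(32)   # 256 bits of entropy, no '.' in alphabet
    TOKEN_STORE[token_id] = _hash_secret(secret)
    return f"{token_id}.{secret}"


def verify_device_token(presented: str) -> bool:
    """Return True only if the presented token matches a stored hash."""
    token_id, sep, secret = presented.partition(".")
    if not sep:
        return False
    stored = TOKEN_STORE.get(token_id)
    # Hash before checking for a miss so the timing of an unknown id and a
    # wrong secret look alike.
    candidate = _hash_secret(secret)
    if stored is None:
        return False
    # Constant-time comparison: a plain == stops at the first differing byte,
    # which leaks how much of the hash an attacker has right.
    return hmac.compare_digest(stored, candidate)


def revoke_device_token(presented_or_id: str) -> bool:
    """Delete the hash; a cleartext token still held by an attacker stops working."""
    token_id = presented_or_id.split(".", 1)[0]
    return TOKEN_STORE.pop(token_id, None) is not None


if __name__ == "__main__":
    t = issue_device_token()
    print("issued", t)
    print("verify", verify_device_token(t))
    print("stored hash only:", TOKEN_STORE)
    revoke_device_token(t)
    print("after revoke", verify_device_token(t))
```

The point a reviewer should check in any real implementation is the last line of `verify_device_token`: the comparison must be constant-time, and the server must never log or store the cleartext returned by `issue_device_token`.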

Authentication

  • Sign-in is Google OAuth. We do not store passwords.
  • Sessions use HttpOnly, Secure, SameSite cookies. HttpOnly makes the session cookie unreadable by JavaScript, so an XSS payload cannot read and exfiltrate it; Secure keeps it off plain HTTP; SameSite limits cross-site request forgery. What HttpOnly does not do: script already running in the page can still issue requests that the browser attaches the cookie to, so it narrows the XSS blast radius rather than eliminating it.
  • Personal Access Tokens (for the Maestro MCP endpoint and CLI clients) are scoped and revocable from Settings → Connected Apps.
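A small checker for the cookie attributes described above, as an added example rather than Vibetight's code. It parses a Set-Cookie header, reports which of HttpOnly, Secure and SameSite are missing, and emits the hardened form beside a constructed weak one; the cookie name, the __Host- prefix and the lifetime in `build_session_cookie` are assumptions.

```python
"""Added example (not Vibetight's own code): audit a Set-Cookie header for
the session-cookie attributes described above, and emit the hardened form.
The header strings at the bottom are constructed for the example.
"""
from __future__ import annotations


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value}).

    The cookie pair is the first segment; every later segment is an attribute.
    Flag attributes such as Secure map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name, attrs


def audit_set_cookie(header: str) -> list[str]:
    """Return a list of findings; an empty list means the cookie is hardened."""
    name, attrs = parse_set_cookie(header)
    findings: list[str] = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable via document.cookie)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (may be sent over plain HTTP)")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        # Unset SameSite is browser-dependent; SameSite=None sends it cross-site.
        findings.append(
            f"{name}: SameSite is {attrs.get('samesite') or 'unset'}, want Lax or Strict"
        )
    if name.startswith("__Host-"):
        # Browsers reject a __Host- cookie unless these three conditions hold.
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            findings.append(f"{name}: __Host- prefix requires Secure, Path=/ and no Domain")
    return findings


def build_session_cookie(value: str, max_age: int = 8 * 3600) -> str:
    """Emit the hardened header. Name, prefix and lifetime are assumptions."""
    return (
        f"__Host-session={value}; Path=/; Max-Age={max_age}; "
        "Secure; HttpOnly; SameSite=Lax"
    )


# Constructed headers: the weak setting next to the corrected one.
WEAK = "session=abc123; Path=/"
HARDENED = build_session_cookie("abc123")

if __name__ == "__main__":
    for h in (WEAK, HARDENED):
        print(h)
        for finding in audit_set_cookie(h) or ["ok"]:
            print("  ", finding)
```

Run it against a captured `Set-Cookie` line from a real response rather than the constructed ones; a proxy or the browser's network panel will show the header verbatim. The checker reports the attribute gaps only; as noted above, a clean result still leaves an XSS payload able to make requests with the cookie attached.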

Audit logging

We log every action that changes state:

  • Auth events (sign-in, sign-out, token issuance, token revocation)
  • Workspace operations (tenant/project/agent creation, member changes)
  • Task lifecycle (creation, status changes, assignments, deletion)
  • Permission decisions (who approved or denied which tool call, with the full input the model produced)
  • Device pairing, sharing changes, and revocations
  • Admin actions including impersonation (with the operator's identity always attached)

You can read the audit trail back in two places: the task's conversation pane (every agent turn and every permission decision, in chronological order) and your repository's git log (every commit on the per-task branch). See the audit trail for the full picture and the permissions deep-dive for how decision records are stored.

Incident response

If we identify a security incident affecting customer data, we will:

  1. Investigate and contain immediately.
  2. Notify affected customers within 72 hours of becoming aware of the incident and, where personal data is involved, the relevant supervisory authority within that same 72-hour window, in line with GDPR Articles 33 and 34.
  3. Publish a post-mortem with the timeline, root cause, and mitigations.

Report suspected vulnerabilities to security@vibetight.com. We'll respond promptly and will not pursue legal action against good-faith security research.

Operational security

  • Production access is gated behind individual operator accounts. No shared credentials.
  • All operator access is logged and reviewed.
  • Production secrets are stored in a dedicated secrets manager, rotated on a regular cadence and on personnel change.
  • Code deployed to production goes through code review and CI checks.

Compliance posture

We are not yet certified against frameworks like SOC 2 or ISO 27001. That work is in progress. What we can say truthfully today:

  • We are audit-ready. Every action that affects customer data is logged with sufficient detail to support a regulatory inquiry.
  • We design with future certification in mind. Controls, separation of duties, and incident-response runbooks are written down, not improvised.
  • You can delete your data at any time.
  • We will announce certifications when they're earned, not before.

If you have specific compliance requirements (HIPAA, SOC 2, ISO 27001, or a customer audit), please reach out at security@vibetight.com. We want to understand what your team needs.

Contact